Blog entry by Les Bell

by Les Bell - Wednesday, 28 June 2023, 12:11 PM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


New Process Injection Technique Can Bypass Detection by EDR Products

An increasingly common technique used by malware authors to evade detection is process injection: writing attacker-controlled code into the address space of an existing, trusted process and causing that process to execute it. Because the code runs in the context of a trusted process, security tools find it hard to distinguish from the process's legitimate activity, and in some cases the technique allows completely file-less execution, leaving behind no artifacts on the victim's disk for malware analysts to examine.

A new process injection technique developed by researchers at Israeli security firm Security Joes is able to evade detection by endpoint detection and response (EDR) products. The technique, which its developers call "Mockingjay", avoids the Windows API calls that EDR products typically hook in order to detect and block injection, such as VirtualAlloc(), VirtualAllocEx() and WriteProcessMemory().

Instead, the technique leverages a "vulnerable" dynamic link library - one which, by default, contains a memory section mapped Read/Write/Execute (RWX) - and abuses that section to hold the injected code. Since the DLL already provides writable, executable memory, there is no need to call the memory allocation APIs, or the lower-level NtWriteVirtualMemory() and NtProtectVirtualMemory() functions, which are also closely monitored by EDR software.

The researchers wrote a tool to search the entire Windows filesystem for such a DLL, and found one: msys-2.0.dll, the MSYS2 POSIX emulation runtime, which is installed as part of Visual Studio 2022 Community Edition. This DLL has 16 KB of RWX memory available - an ideal space for code injection and execution.

The next step was to find a method that could leverage this without making the monitored API calls. Their first approach is to load the DLL into the current process with LoadLibraryW() and then locate its RWX memory area using GetModuleInformation() - two Windows API calls that are neither allocation nor memory-protection functions, and so are not the ones EDR products usually hook. In a proof-of-concept, this memory was then used to run code based on the Hell's Gate technique: build a system call stub and issue system calls directly, rather than through the hooked ntdll functions, in order to remove the EDR hooks and allow further activity without observation.

A second approach is to perform process injection into a remote process, again relying on the RWX memory section in msys-2.0.dll. It turns out that this DLL is commonly used by applications that require POSIX emulation, such as the GNU utilities, some of which are found in Visual Studio 2022 Community Edition. For their proof-of-concept, the researchers successfully injected code into the ssh.exe (Secure Shell) process, causing it to load a further DLL which created a reverse shell to a remote machine. A limitation of this technique is that the targeted DLL (in this case msys-2.0.dll) must not be built with Address Space Layout Randomization (ASLR), since a randomised base address would require dynamic resolution of the address of the RWX memory section.
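As an added example (not the researchers' code, and not taken from the Security Joes post), the following Python script implements the two checks the paragraphs above describe: it parses a PE file's section table looking for sections whose characteristics include read, write and execute, and it reads the optional header's DllCharacteristics to report whether the image opts into ASLR (the limitation noted above). The header layout follows the PE/COFF specification; the image produced by build_pe() is constructed purely for testing and is not a real DLL.

```python
"""Scan PE images (DLLs/EXEs) for sections mapped Read/Write/Execute and
report whether each image opts into ASLR via the DYNAMIC_BASE flag.

Added example for this briefing: a re-implementation of the idea behind the
researchers' scanner, not Security Joes' tool. Header offsets follow the
PE/COFF specification; the sample image from build_pe() is constructed here.
"""
import os
import struct
import sys

# IMAGE_SECTION_HEADER.Characteristics flags (PE/COFF specification)
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
# IMAGE_OPTIONAL_HEADER.DllCharacteristics: image may be relocated (ASLR)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040


def parse_pe(data):
    """Return {'dynamic_base': bool, 'sections': [{name, vaddr, vsize, chars}]}.

    Raises ValueError for anything that is not a PE32/PE32+ image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections, size_opt = struct.unpack_from("<2xH12xH2x", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at optional-header offset 70 in both formats
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    sections = []
    table = opt + size_opt
    for i in range(num_sections):
        # Name(8) VirtualSize(4) VirtualAddress(4) SizeOfRawData(4)
        # PointerToRawData(4) [12 bytes of reloc/lineno fields] Characteristics(4)
        name, vsize, vaddr, _, _, chars = struct.unpack_from(
            "<8sIIII12xI", data, table + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "chars": chars})
    return {"dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
            "sections": sections}


def find_rwx_sections(data):
    """(name, RVA, size) of every section whose flags include R, W and X."""
    return [(s["name"], s["vaddr"], s["vsize"])
            for s in parse_pe(data)["sections"] if s["chars"] & RWX == RWX]


def has_dynamic_base(data):
    """True if the image is ASLR-relocatable, i.e. its RWX address is not fixed."""
    return parse_pe(data)["dynamic_base"]


def scan_tree(root):
    """Walk a directory; yield (path, rwx_sections, dynamic_base) for each hit."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".dll", ".exe")):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as f:
                    data = f.read()
                rwx = find_rwx_sections(data)
            except (OSError, ValueError, struct.error):
                continue  # unreadable, truncated or not a PE image
            if rwx:
                yield path, rwx, has_dynamic_base(data)


def build_pe(sections, dynamic_base=True, pe32plus=True):
    """Constructed minimal PE header (no code) for exercising the scanner.

    sections: list of (name, virtual_size, characteristics).
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 240 if pe32plus else 224
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70,
                     IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if dynamic_base else 0)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       len(sections), 0, 0, 0, size_opt, 0x2022)
    table, va = b"", 0x1000
    for name, vsize, chars in sections:
        table += struct.pack("<8sIIII12xI", name.encode().ljust(8, b"\0"),
                             vsize, va, 0, 0, chars)
        va += (vsize + 0xFFF) & ~0xFFF  # 4 KiB section alignment
    return dos + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    for path, rwx, aslr in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        for name, rva, size in rwx:
            print("%s  %-8s RVA 0x%x  %d bytes  ASLR=%s" % (path, name, rva, size, aslr))
```

Run it against a program directory (for example the Visual Studio installation tree) to list every image that carries an RWX section together with its ASLR status; a hit with ASLR=False is exactly the kind of DLL the technique relies on, and the same scan is a cheap inventory step for defenders deciding which loaded modules deserve closer memory monitoring. Note that this inspects on-disk section flags only; a DLL that changes page protections at run time would need a live memory scan instead.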

The Security Joes blog article contains a detailed write-up which is effectively a well-written tutorial on process injection techniques. It also provides some recommendations on detection techniques.

Peixoto, Thiago, Felipe Duarte and Ido Naor, Process Mockingjay: Echoing RWX In Userland To Achieve Code Execution, blog post, 27 June 2023. Available online at https://www.securityjoes.com/post/process-mockingjay-echoing-rwx-in-userland-to-achieve-code-execution.

Europol Investigation Leads to 6,558 Arrests

Back in 2020, French and Dutch police forces were able to infiltrate the operations of EncroChat, an encrypted mobile messaging service that offered its users - mainly criminals - hardened Android phones with just the features they needed: strong encryption, rapid device erasure with a specific PIN or remote deletion by the EncroChat help desk and a tamper-proof boot process. Despite the high price of both the device and its subscription service, EncroChat sold like hot cakes, with tens of thousands of users world wide.

The Joint Investigation Team established by the French and Dutch authorities, with assistance from Eurojust and Europol, was able to intercept, share and analyse over 115 million criminal conversations by over 60,000 users. Based on the accumulated statistics from the many countries that used the shared data over the next three years, the results are:

  • 6,558 suspects arrested, including 197 High Value Targets  
  • 7,134 years of imprisonment of convicted criminals up to now
  • €739.7 million in cash seized
  • €154.1 million frozen in assets or bank accounts
  • 30.5 million drug pills seized
  • 103.5 tonnes of cocaine seized
  • 163.4 tonnes of cannabis seized
  • 3.3 tonnes of heroin seized
  • 971 vehicles seized
  • 271 estates or homes seized
  • 923 weapons seized, as well as 21,750 rounds of ammunition and 68 explosives
  • 83 boats and 40 planes seized

The investigation, conducted at Europol's headquarters under the name "Operational Task Force EMMA", also prevented violent attacks, attempted murders, large-scale drug importations and corruption. And while many of EncroChat's customers fled to another service called SkyECC, this was also penetrated and dismantled in 2021.

All in all, an impressive result.

Europol, Dismantling encrypted criminal EncroChat communications leads to over 6 500 arrests and close to EUR 900 million seized, news release, 27 June 2023. Available online at https://www.europol.europa.eu/media-press/newsroom/news/dismantling-encrypted-criminal-encrochat-communications-leads-to-over-6-500-arrests-and-close-to-eur-900-million-seized.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
